| blob | 8756431a71aacc88debb9ccf8053748fa69ea5ae |
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 * Author: Simon Josefsson
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Online Certificate Status Protocol - RFC 2560
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_global.h>
27 #include <gnutls_errors.h>
28 #include <libtasn1.h>
29 #include <gnutls_pk.h>
33 #include <gnutls/ocsp.h>
34 #include <auth/cert.h>
37 {
38 ASN1_TYPE req;
42 {
43 ASN1_TYPE resp;
44 gnutls_datum_t response_type_oid;
45 ASN1_TYPE basicresp;
48 #define MAX_TIME 64
50 /**
51 * gnutls_ocsp_req_init:
52 * @req: The structure to be initialized
53 *
54 * This function will initialize an OCSP request structure.
55 *
56 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
57 * negative error value.
58 **/
59 int
61 {
71 {
75 }
80 }
82 /**
83 * gnutls_ocsp_req_deinit:
84 * @req: The structure to be deinitialized
85 *
86 * This function will deinitialize a OCSP request structure.
87 **/
88 void
90 {
100 }
102 /**
103 * gnutls_ocsp_resp_init:
104 * @resp: The structure to be initialized
105 *
106 * This function will initialize an OCSP response structure.
107 *
108 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
109 * negative error value.
110 **/
111 int
113 {
123 {
127 }
132 {
137 }
142 }
144 /**
145 * gnutls_ocsp_resp_deinit:
146 * @resp: The structure to be deinitialized
147 *
148 * This function will deinitialize a OCSP response structure.
149 **/
150 void
152 {
167 }
169 /**
170 * gnutls_ocsp_req_import:
171 * @req: The structure to store the parsed request.
172 * @data: DER encoded OCSP request.
173 *
174 * This function will convert the given DER encoded OCSP request to
175 * the native #gnutls_ocsp_req_t format. The output will be stored in
176 * @req.
177 *
178 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
179 * negative error value.
180 **/
181 int
184 {
188 {
191 }
194 {
195 /* Any earlier asn1_der_decoding will modify the ASN.1
196 structure, so we need to replace it with a fresh
197 structure. */
203 {
206 }
207 }
211 {
214 }
217 }
219 /**
220 * gnutls_ocsp_resp_import:
221 * @resp: The structure to store the parsed response.
222 * @data: DER encoded OCSP response.
223 *
224 * This function will convert the given DER encoded OCSP response to
225 * the native #gnutls_ocsp_resp_t format. It also decodes the Basic
226 * OCSP Response part, if any. The output will be stored in @resp.
227 *
228 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
229 * negative error value.
230 **/
231 int
234 {
238 {
241 }
244 {
245 /* Any earlier asn1_der_decoding will modify the ASN.1
246 structure, so we need to replace it with a fresh
247 structure. */
253 {
256 }
257 }
261 {
264 }
272 {
275 }
282 {
283 gnutls_datum_t d;
286 {
292 {
295 }
296 }
301 {
304 }
309 {
312 }
313 }
314 else
318 }
320 static int
322 {
328 {
331 }
338 {
341 }
344 }
346 /**
347 * gnutls_ocsp_req_export:
348 * @req: Holds the OCSP request
349 * @data: newly allocate buffer holding DER encoded OCSP request
350 *
351 * This function will export the OCSP request to DER format.
352 *
353 * Returns: In case of failure a negative error code will be
354 * returned, and 0 on success.
355 **/
356 int
358 {
362 {
365 }
367 /* XXX remove when we support these fields */
371 /* prune extension field if we don't have any extension */
377 }
379 /**
380 * gnutls_ocsp_resp_export:
381 * @resp: Holds the OCSP response
382 * @data: newly allocate buffer holding DER encoded OCSP response
383 *
384 * This function will export the OCSP response to DER format.
385 *
386 * Returns: In case of failure a negative error code will be
387 * returned, and 0 on success.
388 **/
389 int
391 {
393 {
396 }
399 }
401 /**
402 * gnutls_ocsp_req_get_version:
403 * @req: should contain a #gnutls_ocsp_req_t structure
404 *
405 * This function will return the version of the OCSP request.
406 * Typically this is always 1 indicating version 1.
407 *
408 * Returns: version of OCSP request, or a negative error code on error.
409 **/
410 int
412 {
417 {
420 }
425 {
430 }
433 }
435 /**
436 * gnutls_ocsp_req_get_cert_id:
437 * @req: should contain a #gnutls_ocsp_req_t structure
438 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
439 * @digest: output variable with #gnutls_digest_algorithm_t hash algorithm
440 * @issuer_name_hash: output buffer with hash of issuer's DN
441 * @issuer_key_hash: output buffer with hash of issuer's public key
442 * @serial_number: output buffer with serial number of certificate to check
443 *
444 * This function will return the certificate information of the
445 * @indx'ed request in the OCSP request. The information returned
446 * corresponds to the CertID structure:
447 *
448 * <informalexample><programlisting>
449 * CertID ::= SEQUENCE {
450 * hashAlgorithm AlgorithmIdentifier,
451 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
452 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
453 * serialNumber CertificateSerialNumber }
454 * </programlisting></informalexample>
455 *
456 * Each of the pointers to output variables may be NULL to indicate
457 * that the caller is not interested in that value.
458 *
459 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
460 * negative error code is returned. If you have reached the last
461 * CertID available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
462 * returned.
463 **/
464 int
471 {
472 gnutls_datum_t sa;
477 {
480 }
489 {
492 }
497 {
500 }
506 {
511 {
514 }
515 }
518 {
523 {
528 }
529 }
532 {
537 {
544 }
545 }
548 }
550 /**
551 * gnutls_ocsp_req_add_cert_id:
552 * @req: should contain a #gnutls_ocsp_req_t structure
553 * @digest: hash algorithm, a #gnutls_digest_algorithm_t value
554 * @issuer_name_hash: hash of issuer's DN
555 * @issuer_key_hash: hash of issuer's public key
556 * @serial_number: serial number of certificate to check
557 *
558 * This function will add another request to the OCSP request for a
559 * particular certificate having the issuer name hash of
560 * @issuer_name_hash and issuer key hash of @issuer_key_hash (both
561 * hashed using @digest) and serial number @serial_number.
562 *
563 * The information needed corresponds to the CertID structure:
564 *
565 * <informalexample><programlisting>
566 * CertID ::= SEQUENCE {
567 * hashAlgorithm AlgorithmIdentifier,
568 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
569 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
570 * serialNumber CertificateSerialNumber }
571 * </programlisting></informalexample>
572 *
573 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
574 * negative error code is returned.
575 **/
576 int
578 gnutls_digest_algorithm_t digest,
582 {
588 {
591 }
595 {
598 }
602 {
605 }
607 result = asn1_write_value
611 {
614 }
616 /* XXX we don't support any algorithm with parameters */
617 result = asn1_write_value
621 {
624 }
626 result = asn1_write_value
630 {
633 }
635 result = asn1_write_value
639 {
642 }
644 result = asn1_write_value
648 {
651 }
653 /* XXX add separate function that can add extensions too */
654 result = asn1_write_value
658 {
661 }
664 }
666 /**
667 * gnutls_ocsp_req_add_cert:
668 * @req: should contain a #gnutls_ocsp_req_t structure
669 * @digest: hash algorithm, a #gnutls_digest_algorithm_t value
670 * @issuer: issuer of @subject certificate
671 * @cert: certificate to request status for
672 *
673 * This function will add another request to the OCSP request for a
674 * particular certificate. The issuer name hash, issuer key hash, and
675 * serial number fields is populated as follows. The issuer name and
676 * the serial number is taken from @cert. The issuer key is taken
677 * from @issuer. The hashed values will be hashed using the @digest
678 * algorithm, normally %GNUTLS_DIG_SHA1.
679 *
680 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
681 * negative error code is returned.
682 **/
683 int
685 gnutls_digest_algorithm_t digest,
686 gnutls_x509_crt_t issuer,
687 gnutls_x509_crt_t cert)
688 {
697 {
700 }
706 {
709 }
714 {
717 }
721 ret = _gnutls_x509_read_value
725 {
728 }
733 {
736 }
743 {
746 }
751 {
754 }
757 }
759 /**
760 * gnutls_ocsp_req_get_extension:
761 * @req: should contain a #gnutls_ocsp_req_t structure
762 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
763 * @oid: will hold newly allocated buffer with OID of extension, may be NULL
764 * @critical: output variable with critical flag, may be NULL.
765 * @data: will hold newly allocated buffer with extension data, may be NULL
766 *
767 * This function will return all information about the requested
768 * extension in the OCSP request. The information returned is the
769 * OID, the critical flag, and the data itself. The extension OID
770 * will be stored as a string. Any of @oid, @critical, and @data may
771 * be NULL which means that the caller is not interested in getting
772 * that information back.
773 *
774 * The caller needs to deallocate memory by calling gnutls_free() on
775 * @oid->data and @data->data.
776 *
777 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
778 * negative error code is returned. If you have reached the last
779 * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
780 * be returned.
781 **/
782 int
788 {
795 {
798 }
807 {
810 }
813 {
816 else
818 }
821 {
826 {
829 }
830 }
833 {
838 {
843 }
844 }
847 }
849 /**
850 * gnutls_ocsp_req_set_extension:
851 * @req: should contain a #gnutls_ocsp_req_t structure
852 * @oid: buffer with OID of extension as a string.
853 * @critical: critical flag, normally false.
854 * @data: the extension data
855 *
856 * This function will add an extension to the OCSP request. Calling
857 * this function multiple times for the same OID will overwrite values
858 * from earlier calls.
859 *
860 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
861 * negative error code is returned.
862 **/
863 int
868 {
870 {
873 }
877 }
879 /**
880 * gnutls_ocsp_req_get_nonce:
881 * @req: should contain a #gnutls_ocsp_req_t structure
882 * @critical: whether nonce extension is marked critical, or NULL
883 * @nonce: will hold newly allocated buffer with nonce data
884 *
885 * This function will return the OCSP request nonce extension data.
886 *
887 * The caller needs to deallocate memory by calling gnutls_free() on
888 * @nonce->data.
889 *
890 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
891 * negative error code is returned.
892 **/
893 int
897 {
900 gnutls_datum_t tmp;
903 {
906 }
912 {
915 }
920 {
924 }
928 {
932 }
938 {
941 }
945 }
947 /**
948 * gnutls_ocsp_req_set_nonce:
949 * @req: should contain a #gnutls_ocsp_req_t structure
950 * @critical: critical flag, normally false.
951 * @nonce: the nonce data
952 *
953 * This function will add an nonce extension to the OCSP request.
954 * Calling this function multiple times will overwrite values from
955 * earlier calls.
956 *
957 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
958 * negative error code is returned.
959 **/
960 int
964 {
966 gnutls_datum_t dernonce;
971 {
974 }
981 {
984 }
994 {
997 }
1000 }
1002 /**
1003 * gnutls_ocsp_req_randomize_nonce:
1004 * @req: should contain a #gnutls_ocsp_req_t structure
1005 *
1006 * This function will add or update an nonce extension to the OCSP
1007 * request with a newly generated random value.
1008 *
1009 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1010 * negative error code is returned.
1011 **/
1012 int
1014 {
1020 {
1023 }
1027 {
1030 }
1034 {
1037 }
1040 }
1042 /**
1043 * gnutls_ocsp_resp_get_status:
1044 * @resp: should contain a #gnutls_ocsp_resp_t structure
1045 *
1046 * This function will return the status of a OCSP response, an
1047 * #gnutls_ocsp_resp_status_t enumeration.
1048 *
1049 * Returns: status of OCSP request as a #gnutls_ocsp_resp_status_t, or
1050 * a negative error code on error.
1051 **/
1052 int
1054 {
1059 {
1062 }
1067 {
1070 }
1073 {
1083 }
1086 }
1088 /**
1089 * gnutls_ocsp_resp_get_response:
1090 * @resp: should contain a #gnutls_ocsp_resp_t structure
1091 * @response_type_oid: newly allocated output buffer with response type OID
1092 * @response: newly allocated output buffer with DER encoded response
1093 *
1094 * This function will extract the response type OID in and the
1095 * response data from an OCSP response. Normally the
1096 * @response_type_oid is always "1.3.6.1.5.5.7.48.1.1" which means the
1097 * @response should be decoded as a Basic OCSP Response, but
1098 * technically other response types could be used.
1099 *
1100 * This function is typically only useful when you want to extract the
1101 * response type OID of an response for diagnostic purposes.
1102 * Otherwise gnutls_ocsp_resp_import() will decode the basic OCSP
1103 * response part and the caller need not worry about that aspect.
1104 *
1105 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1106 * negative error value.
1107 **/
1108 int
1112 {
1116 {
1119 }
1122 {
1126 {
1129 }
1130 }
1133 {
1137 {
1140 }
1141 }
1144 }
1146 /**
1147 * gnutls_ocsp_resp_get_version:
1148 * @resp: should contain a #gnutls_ocsp_resp_t structure
1149 *
1150 * This function will return the version of the Basic OCSP Response.
1151 * Typically this is always 1 indicating version 1.
1152 *
1153 * Returns: version of Basic OCSP response, or a negative error code
1154 * on error.
1155 **/
1156 int
1158 {
1163 {
1166 }
1171 {
1176 }
1179 }
1181 /**
1182 * gnutls_ocsp_resp_get_responder:
1183 * @resp: should contain a #gnutls_ocsp_resp_t structure
1184 * @dn: newly allocated buffer with name
1185 *
1186 * This function will extract the name of the Basic OCSP Response in
1187 * the provided buffer. The name will be in the form
1188 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
1189 * will be ASCII or UTF-8 encoded, depending on the certificate data.
1190 *
1191 * The caller needs to deallocate memory by calling gnutls_free() on
1192 * @dn->data.
1193 *
1194 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1195 * negative error code is returned.
1196 **/
1197 int
1200 {
1205 {
1208 }
1210 ret = _gnutls_x509_parse_dn
1214 {
1217 }
1221 {
1224 }
1226 ret = _gnutls_x509_parse_dn
1230 {
1233 }
1238 }
1240 /**
1241 * gnutls_ocsp_resp_get_produced:
1242 * @resp: should contain a #gnutls_ocsp_resp_t structure
1243 *
1244 * This function will return the time when the OCSP response was
1245 * signed.
1246 *
1247 * Returns: signing time, or (time_t)-1 on error.
1248 **/
1249 time_t
1251 {
1257 {
1260 }
1266 {
1269 }
1274 }
1276 /**
1277 * gnutls_ocsp_resp_check_crt:
1278 * @resp: should contain a #gnutls_ocsp_resp_t structure
1279 * @indx: Specifies response number to get. Use (0) to get the first one.
1280 * @crt: The certificate to check
1281 *
1282 * This function will check whether the OCSP response
1283 * is about the provided certificate.
1284 *
1285 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1286 * negative error code is returned.
1287 **/
1288 int
1291 gnutls_x509_crt_t crt)
1292 {
1294 gnutls_digest_algorithm_t digest;
1307 {
1310 }
1314 {
1317 }
1322 {
1325 }
1330 {
1333 }
1336 {
1340 }
1344 {
1347 }
1351 {
1354 }
1357 {
1361 }
1365 cleanup:
1372 }
1374 /**
1375 * gnutls_ocsp_resp_get_single:
1376 * @resp: should contain a #gnutls_ocsp_resp_t structure
1377 * @indx: Specifies response number to get. Use (0) to get the first one.
1378 * @digest: output variable with #gnutls_digest_algorithm_t hash algorithm
1379 * @issuer_name_hash: output buffer with hash of issuer's DN
1380 * @issuer_key_hash: output buffer with hash of issuer's public key
1381 * @serial_number: output buffer with serial number of certificate to check
1382 * @cert_status: a certificate status, a #gnutls_ocsp_cert_status_t enum.
1383 * @this_update: time at which the status is known to be correct.
1384 * @next_update: when newer information will be available, or (time_t)-1 if unspecified
1385 * @revocation_time: when @cert_status is %GNUTLS_OCSP_CERT_REVOKED, holds time of revocation.
1386 * @revocation_reason: revocation reason, a #gnutls_x509_crl_reason_t enum.
1387 *
1388 * This function will return the certificate information of the
1389 * @indx'ed response in the Basic OCSP Response @resp. The
1390 * information returned corresponds to the OCSP SingleResponse structure
1391 * except the final singleExtensions.
1392 *
1393 * Each of the pointers to output variables may be NULL to indicate
1394 * that the caller is not interested in that value.
1395 *
1396 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1397 * negative error code is returned. If you have reached the last
1398 * CertID available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1399 * returned.
1400 **/
1401 int
1413 {
1414 gnutls_datum_t sa;
1425 {
1428 }
1433 {
1436 }
1442 {
1449 {
1452 }
1453 }
1456 {
1463 {
1468 }
1469 }
1472 {
1479 {
1486 }
1487 }
1490 {
1498 {
1501 }
1508 else
1509 {
1513 }
1515 }
1518 {
1528 {
1531 }
1532 else
1534 }
1537 {
1547 {
1550 }
1551 else
1553 }
1556 {
1561 "tbsResponseData.responses.?%u.certStatus."
1567 {
1570 }
1571 else
1573 }
1575 /* revocation_reason */
1577 {
1579 "tbsResponseData.responses.?%u.certStatus."
1584 revocation_reason);
1587 }
1590 }
1592 /**
1593 * gnutls_ocsp_resp_get_extension:
1594 * @resp: should contain a #gnutls_ocsp_resp_t structure
1595 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
1596 * @oid: will hold newly allocated buffer with OID of extension, may be NULL
1597 * @critical: output variable with critical flag, may be NULL.
1598 * @data: will hold newly allocated buffer with extension data, may be NULL
1599 *
1600 * This function will return all information about the requested
1601 * extension in the OCSP response. The information returned is the
1602 * OID, the critical flag, and the data itself. The extension OID
1603 * will be stored as a string. Any of @oid, @critical, and @data may
1604 * be NULL which means that the caller is not interested in getting
1605 * that information back.
1606 *
1607 * The caller needs to deallocate memory by calling gnutls_free() on
1608 * @oid->data and @data->data.
1609 *
1610 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1611 * negative error code is returned. If you have reached the last
1612 * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
1613 * be returned.
1614 **/
1615 int
1621 {
1628 {
1631 }
1641 {
1644 }
1647 {
1650 else
1652 }
1655 {
1660 {
1663 }
1664 }
1667 {
1672 {
1677 }
1678 }
1681 }
1683 /**
1684 * gnutls_ocsp_resp_get_nonce:
1685 * @resp: should contain a #gnutls_ocsp_resp_t structure
1686 * @critical: whether nonce extension is marked critical
1687 * @nonce: will hold newly allocated buffer with nonce data
1688 *
1689 * This function will return the Basic OCSP Response nonce extension
1690 * data.
1691 *
1692 * The caller needs to deallocate memory by calling gnutls_free() on
1693 * @nonce->data.
1694 *
1695 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1696 * negative error code is returned.
1697 **/
1698 int
1702 {
1705 gnutls_datum_t tmp;
1711 {
1714 }
1719 {
1723 }
1727 {
1731 }
1737 {
1740 }
1744 }
1746 /**
1747 * gnutls_ocsp_resp_get_signature_algorithm:
1748 * @resp: should contain a #gnutls_ocsp_resp_t structure
1749 *
1750 * This function will return a value of the #gnutls_sign_algorithm_t
1751 * enumeration that is the signature algorithm that has been used to
1752 * sign the OCSP response.
1753 *
1754 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code
1755 * on error.
1756 **/
1757 int
1759 {
1761 gnutls_datum_t sa;
1766 {
1769 }
1776 }
1778 /**
1779 * gnutls_ocsp_resp_get_signature:
1780 * @resp: should contain a #gnutls_ocsp_resp_t structure
1781 * @sig: newly allocated output buffer with signature data
1782 *
1783 * This function will extract the signature field of a OCSP response.
1784 *
1785 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1786 * negative error value.
1787 **/
1788 int
1791 {
1795 {
1798 }
1802 {
1805 }
1808 }
1810 /**
1811 * gnutls_ocsp_resp_get_certs:
1812 * @resp: should contain a #gnutls_ocsp_resp_t structure
1813 * @certs: newly allocated array with #gnutls_x509_crt_t certificates
1814 * @ncerts: output variable with number of allocated certs.
1815 *
1816 * This function will extract the X.509 certificates found in the
1817 * Basic OCSP Response. The @certs output variable will hold a newly
1818 * allocated zero-terminated array with X.509 certificates.
1819 *
1820 * Every certificate in the array needs to be de-allocated with
1821 * gnutls_x509_crt_deinit() and the array itself must be freed using
1822 * gnutls_free().
1823 *
1824 * Both the @certs and @ncerts variables may be NULL. Then the
1825 * function will work as normal but will not return the NULL:d
1826 * information. This can be used to get the number of certificates
1827 * only, or to just get the certificate array without its size.
1828 *
1829 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1830 * negative error value.
1831 **/
1832 int
1836 {
1843 {
1846 }
1850 {
1853 }
1856 {
1864 {
1867 }
1871 {
1875 }
1880 {
1883 }
1884 ctr++;
1887 GNUTLS_X509_FMT_DER);
1889 {
1892 }
1896 }
1904 else
1905 {
1906 /* clean up memory */
1909 }
1913 error:
1919 }
1921 /* Search the OCSP response for a certificate matching the responderId
1922 mentioned in the OCSP response. */
1923 static gnutls_x509_crt_t
1925 {
1929 gnutls_datum_t riddn;
1934 {
1937 }
1941 {
1945 }
1948 {
1955 {
1958 }
1962 {
1965 }
1969 {
1973 }
1981 {
1984 }
1985 }
1990 quit:
1997 }
1999 static int
2001 gnutls_x509_crt_t signercert,
2004 {
2012 {
2015 }
2019 {
2022 }
2027 {
2030 }
2034 {
2037 }
2041 {
2044 }
2048 {
2051 }
2055 {
2058 }
2060 {
2063 }
2064 else
2069 done:
2075 }
2078 {
2087 else
2091 }
2094 {
2100 {
2104 NULL);
2106 {
2109 }
2111 {
2114 }
2116 {
2118 }
2121 {
2124 }
2126 }
2129 }
2131 /**
2132 * gnutls_ocsp_resp_verify_direct:
2133 * @resp: should contain a #gnutls_ocsp_resp_t structure
2134 * @issuer: certificate believed to have signed the response
2135 * @verify: output variable with verification status, an #gnutls_ocsp_cert_status_t
2136 * @flags: verification flags, 0 for now.
2137 *
2138 * Verify signature of the Basic OCSP Response against the public key
2139 * in the @issuer certificate.
2140 *
2141 * The output @verify variable will hold verification status codes
2142 * (e.g., %GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,
2143 * %GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the
2144 * function returned %GNUTLS_E_SUCCESS.
2145 *
2146 * Note that the function returns %GNUTLS_E_SUCCESS even when
2147 * verification failed. The caller must always inspect the @verify
2148 * variable to find out the verification status.
2149 *
2150 * The @flags variable should be 0 for now.
2151 *
2152 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2153 * negative error value.
2154 **/
2155 int
2157 gnutls_x509_crt_t issuer,
2160 {
2161 gnutls_x509_crt_t signercert;
2165 {
2168 }
2172 {
2174 }
2176 {
2181 {
2184 }
2187 {
2192 }
2196 {
2201 }
2202 }
2206 done:
2211 }
2213 /**
2214 * gnutls_ocsp_resp_verify:
2215 * @resp: should contain a #gnutls_ocsp_resp_t structure
2216 * @trustlist: trust anchors as a #gnutls_x509_trust_list_t structure
2217 * @verify: output variable with verification status, an #gnutls_ocsp_cert_status_t
2218 * @flags: verification flags, 0 for now.
2219 *
2220 * Verify signature of the Basic OCSP Response against the public key
2221 * in the certificate of a trusted signer. The @trustlist should be
2222 * populated with trust anchors. The function will extract the signer
2223 * certificate from the Basic OCSP Response and will verify it against
2224 * the @trustlist. A trusted signer is a certificate that is either
2225 * in @trustlist, or it is signed directly by a certificate in
2226 * @trustlist and has the id-ad-ocspSigning Extended Key Usage bit
2227 * set.
2228 *
2229 * The output @verify variable will hold verification status codes
2230 * (e.g., %GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,
2231 * %GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the
2232 * function returned %GNUTLS_E_SUCCESS.
2233 *
2234 * Note that the function returns %GNUTLS_E_SUCCESS even when
2235 * verification failed. The caller must always inspect the @verify
2236 * variable to find out the verification status.
2237 *
2238 * The @flags variable should be 0 for now.
2239 *
2240 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2241 * negative error value.
2242 **/
2243 int
2245 gnutls_x509_trust_list_t trustlist,
2248 {
2252 /* Algorithm:
2253 1. Find signer cert.
2254 1a. Search in OCSP response Certificate field for responderID.
2255 1b. Verify that signer cert is trusted.
2256 2a. It is in trustlist?
2257 2b. It has OCSP key usage and directly signed by a CA in trustlist?
2258 3. Verify signature of Basic Response using public key from signer cert.
2259 */
2263 {
2264 /* XXX Search in trustlist for certificate matching
2265 responderId as well? */
2270 }
2272 /* Either the signer is directly trusted (i.e., in trustlist) or it
2273 is directly signed by something in trustlist and has proper OCSP
2274 extkeyusage. */
2277 {
2280 }
2282 {
2283 /* not in trustlist, need to verify signature and bits */
2284 gnutls_x509_crt_t issuer;
2292 {
2297 }
2301 {
2304 }
2307 {
2312 }
2316 {
2321 }
2322 }
2326 done:
2330 }